From 3fcd8b1bbc5e1e8175060713c47f580ed2460725 Mon Sep 17 00:00:00 2001 From: blaine-arcjet <146491715+blaine-arcjet@users.noreply.github.com> Date: Wed, 20 Nov 2024 08:20:37 -0700 Subject: [PATCH] fix(nosecone-next): Avoid overriding original headers (#2284) I found this problem with my implementation while trying to integrate `@nosecone/next` into our application. When using `x-middleware-override-headers` is set, Next.js removes all other headers, which meant that the original Request headers were removed. I also added the adapter to the bot example to make sure the original headers still exist. --- .../app/api/arcjet/route.ts | 7 +++++ examples/nextjs-bot-categories/middleware.ts | 8 +++++ nosecone-next/index.ts | 30 ++++--------------- 3 files changed, 21 insertions(+), 24 deletions(-) create mode 100644 examples/nextjs-bot-categories/middleware.ts diff --git a/examples/nextjs-bot-categories/app/api/arcjet/route.ts b/examples/nextjs-bot-categories/app/api/arcjet/route.ts index b117f0bae..88b4a4a89 100644 --- a/examples/nextjs-bot-categories/app/api/arcjet/route.ts +++ b/examples/nextjs-bot-categories/app/api/arcjet/route.ts @@ -26,6 +26,13 @@ const aj = arcjet({ export async function GET(req: Request) { const decision = await aj.protect(req); + if (decision.isErrored()) { + return NextResponse.json( + { error: decision.reason.message }, + { status: 500, statusText: "Internal Server Error" }, + ) + } + const headers = new Headers(); if (decision.reason.isBot()) { // WARNING: This is illustrative! Don't share this metadata with users; diff --git a/examples/nextjs-bot-categories/middleware.ts b/examples/nextjs-bot-categories/middleware.ts new file mode 100644 index 000000000..28c473b10 --- /dev/null +++ b/examples/nextjs-bot-categories/middleware.ts @@ -0,0 +1,8 @@ +import { createMiddleware } from "@nosecone/next"; + +export const config = { + // matcher tells Next.js which routes to run the middleware on + matcher: ["/(.*)"], +}; + +export default createMiddleware(); diff --git a/nosecone-next/index.ts b/nosecone-next/index.ts index b6b25a949..d8ee72121 100644 --- a/nosecone-next/index.ts +++ b/nosecone-next/index.ts @@ -69,29 +69,6 @@ function applyNextDefaults(options: NoseconeOptions): NoseconeOptions { }; } -// Setting specific headers is the way that Next.js implements middleware -// See: https://github.com/vercel/next.js/blob/5c45d58cd058a9683e435fd3a1a9b8fede8376c3/packages/next/src/server/web/spec-extension/response.ts#L148 -function nextMiddlewareHeaders( - headers: Record, -): Record { - const forwardedHeaders: Record = { - "x-middleware-next": "1", - }; - - // This applies the logic to forward headers from Next.js middleware - // https://github.com/vercel/next.js/blob/5c45d58cd058a9683e435fd3a1a9b8fede8376c3/packages/next/src/server/web/spec-extension/response.ts#L22-L27 - for (const [headerName, headerValue] of Object.entries(headers)) { - if (typeof headerValue !== "string") { - throw new Error(`impossible: missing value for ${headerName}`); - } - forwardedHeaders[`x-middleware-request-${headerName}`] = headerValue; - } - forwardedHeaders["x-middleware-override-headers"] = - Object.keys(headers).join(","); - - return forwardedHeaders; -} - /** * Create Next.js middleware that sets secure headers on every request. * @@ -106,7 +83,12 @@ export function createMiddleware(options: NoseconeOptions = defaults) { return new Response(null, { headers: { ...headers, - ...nextMiddlewareHeaders(headers), + // Setting this specific header is the way that Next.js implements + // middleware. See: + // https://github.com/vercel/next.js/blob/5c45d58cd058a9683e435fd3a1a9b8fede8376c3/packages/next/src/server/web/spec-extension/response.ts#L148 + // Note: we don't create the `x-middleware-override-headers` header so + // the original headers pass through + "x-middleware-next": "1", }, }); };